How to Use your Own DNS Servers When your Host Intercepts

To access Web sites using friendly names such as www.google.com, your Web browser must translate that name into an IP address so it can make the request. This lookup is similar to finding a telephone number in a telephone book by looking for that party’s name.


These requests are called DNS (Domain Name Server) lookups. Typically these are made to a DNS server using TCP/UDP port 53.

ISP Port 53 DNS Reroute via Mandatory Proxy

However, many Internet Service Providers (ISPs), especially mobile broadband providers, intercept all port 53 traffic and redirect it to their own DNS. So even if you change the DNS addresses on your computer, say to Google’s public DNS servers 8.8.8.8 and 8.8.4.4, it doesn’t matter: when the traffic passes through your ISP’s mandatory proxy, any request on port 53 is routed to the ISP’s own DNS.

Why Should I be Concerned With a DNS Proxy?

Under normal circumstances, when the ISP’s DNS is functioning properly, this is not an issue. However, if the ISP’s DNS fails to respond to requests, you will start getting DNS resolution errors in your Web browser. Different Web browsers report different messages in this case. The only one I have seen that actually tells you the DNS lookup failed is the Google Chrome browser. So depending on the browser, you may not be able to tell (from the browser message) that it is a DNS issue.

How can I tell if my ISP is Intercepting my Port 53 DNS Traffic?

There are some tools available to check which DNS server is actually used when making requests. Berkley.edu has a tool, and there are some others. These tools work in various ways. Some send a series of DNS requests to DNS servers they monitor and check whether those servers actually receive the requests.
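As an added example (not from the original post, and not one of the tools it mentions), here is a stdlib-only Python script that performs a check of the same kind. It builds a raw DNS query and sends it on port 53 to 192.0.2.1, an address from the RFC 5737 TEST-NET-1 range that is never routed on the Internet. A genuine query to that address can only time out, so any reply that comes back was produced by something in the path, i.e. a transparent DNS proxy. The wire-format builder and parser are included so a reply can be inspected rather than trusted blindly; SAMPLE_RESPONSE is a constructed packet, and the hostname and IP inside it are placeholders.

```python
import socket
import struct

# TEST-NET-1 (RFC 5737) is never routed on the public Internet, so a real
# DNS query sent here must time out. Any answer came from a proxy in the path.
UNROUTABLE_RESOLVER = "192.0.2.1"


def build_query(name, qid, qtype=1):
    """Build a minimal DNS query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)


def _read_name(data, offset):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data, expected_qid):
    """Return (rcode, [(ip, ttl), ...]) for the A records in a DNS reply."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid:
        raise ValueError("transaction id mismatch")   # reply is not for our query
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qdcount):                          # skip the echoed question
        _, offset = _read_name(data, offset)
        offset += 4                                   # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            answers.append((".".join(str(b) for b in rdata), ttl))
    return flags & 0x000F, answers


def query(server, port, name, timeout=2.0, qid=0x1234):
    """Send one UDP query; return the parsed reply, or None on timeout/unreachable."""
    packet = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, port))
            data, _ = sock.recvfrom(4096)
        except OSError:                               # timeout or ICMP unreachable
            return None
    return parse_response(data, qid)


def port53_is_intercepted(name="www.example.com", timeout=2.0):
    """True if a port 53 query to an unroutable address still gets an answer."""
    return query(UNROUTABLE_RESOLVER, 53, name, timeout) is not None


# Constructed reply for the query above: id 0x1234, one A record with TTL 86400.
SAMPLE_RESPONSE = (
    bytes.fromhex("123481800001000100000000")
    + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    + bytes.fromhex("c00c0001000100015180000401020304")
)

if __name__ == "__main__":
    print("port 53 intercepted:", port53_is_intercepted())
```

Run it from the machine whose path you want to check. The script only reports whether a proxy answers on port 53; it does not say who operates it, and a result of "not intercepted" on one network says nothing about another.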

Why do ISPs Reroute Port 53 DNS Traffic?

There are various reasons. Sometimes it is so that the ISP can block access to certain types of sites. For example, a company using a given ISP might not want its employees to be able to access Twitter.com. The DNS can then simply return no IP address when it receives requests for Twitter.com, or it can return the IP address of a server that, when visited, simply says ‘access denied’ or the like. Sometimes ISPs reroute the DNS requests to take advantage of certain types of caching and other bandwidth-saving capabilities.

How Can I Use a Different DNS?

So as we have already seen, the blind or mandatory proxy may make it impossible for you to use a different DNS, at least on port 53. On Windows, it is not easy to change the port for DNS requests to something other than port 53. I was having this problem with Sprint Mobile Broadband, so here is the workaround I used.

Another thing I did, initially, before I got the solution below working, was to do DNS lookups through a Linux window in PuTTY, then put the IP address and name into the Windows hosts file. I couldn’t even get to the site to download Acrylic until I did this step.

Install a DNS Proxy

There are many different software packages you can use on Windows to use your own DNS servers. After comparing various packages including BIND, PowerDNS, and others, I settled on a program called Acrylic.

Acrylic is a fairly lightweight DNS proxy that runs on Windows. I am using it on Windows 7 Ultimate and it is working great.

Configure the DNS Proxy

Next, we must configure the DNS proxy. The main reason we are using a DNS proxy for Windows is so that we do not have to try to change Windows to use a port other than 53 for DNS lookups.

But, in order to prevent our ISP from intercepting our port 53 traffic, we must find a DNS we can route requests to that will accept DNS traffic on a port other than port 53. After some searching, I found a few DNS servers run by the German Privacy Foundation that accept requests on port 110. I haven’t tried it myself, but OpenDNS servers supposedly listen on port 5353 (IPs are 208.67.222.222 and 208.67.220.220). If you have a Web server or are otherwise inclined, you could set up your own DNS server on a port other than 53 using BIND.

Important note: You must be able to trust the DNS you select. If the DNS returns a malicious or otherwise incorrect IP address for a request, you might think you are logging in to your bank account while you are actually connected to a server set up to steal your bank account information.

Configure Acrylic to use the Port 110 DNS

Now, I edited the Acrylic ini file to use the port 110 DNS. Acrylic lets you specify up to three DNS addresses, so I put in all three, like this:

[GlobalSection]
;
; The IP address of your primary DNS server (required).
; Upon installation contains the address of the primary OpenDNS server.
;
PrimaryServerAddress=87.118.100.175
;
; The UDP port your primary DNS server is supposed to be listening to. The
; default value of 53 is the standard port for DNS resolution. You should
; change this value only if you are using a non standard DNS server.
;
PrimaryServerPort=110
;
; You can decide to ignore negative responses coming from the primary
; server by uncommenting the following line.
;
; IgnoreNegativeResponsesFromPrimaryServer=Yes
;
; The IP address of your secondary DNS server (optional).
; Upon installation contains the address of the secondary OpenDNS server.
;
SecondaryServerAddress=94.75.228.29
;
; The UDP port your secondary DNS server is supposed to be listening to. The
; default value of 53 is the standard port for DNS resolution. You should
; change this value only if you are using a non standard DNS server.
;
SecondaryServerPort=110
;
; You can decide to ignore negative responses coming from the secondary
; server by uncommenting the following line.
;
; IgnoreNegativeResponsesFromSecondaryServer=Yes
;
; The IP address of your tertiary DNS server (optional).
;
TertiaryServerAddress=62.75.219.7
;
; The UDP port your tertiary DNS server is supposed to be listening to. The
; default value of 53 is the standard port for DNS resolution. You should
; change this value only if you are using a non standard DNS server.
;
TertiaryServerPort=110
;


Then you must restart the Acrylic service to use the new DNS addresses.

Change DNS Server in Windows IPv4

Next I went into networking to change the DNS that Windows uses for lookups. I went into Network and Sharing Center, then clicked my Internet connection, then clicked properties, then clicked Internet Protocol Version 4 (TCP/IPv4), then clicked properties. See the image to the right for details.


Then, in the IPv4 properties, I selected the radio button that says “Use the following DNS server addresses” and entered 127.0.0.1 for the preferred DNS server. I left the alternate DNS server blank. See the image to the right for details.

Then I clicked OK, and my DNS timeout problems were resolved. Before I made the changes above, my computer was trying to do DNS lookups through my ISP’s DNS, which was having major issues at the time. After I made the changes above, my computer does DNS lookups through Acrylic. Acrylic then either returns the IP from its cache, or it does a lookup against the three DNS addresses we entered above, with one important difference: Acrylic connects to port 110 on those DNS addresses (not port 53), so my ISP does not reroute the traffic. Hence the DNS lookup actually works, and I am able to use my web browser in peace!

It might seem like a lot of steps to go through just for simple DNS lookups, and in an ideal world it would not be necessary. But since many hosts intercept port 53 traffic, this is one possible workaround. It can potentially speed up your Web browsing as well: if Acrylic (or the DNS proxy / resolver of your choice) is configured to cache lookups, it can return the IP address for a lookup much faster than if it has to query a DNS over the Internet.

Notes about Caching DNS Responses

However, cached DNS entries should really respect the TTL (time to live) of the response. For example, if the response contains a TTL of 86400 seconds, then the resolver should re-query after that period of time, in case the IP address has changed. Many IP addresses stay static for years, but many sites also use reverse proxies, content distribution networks, and other features where the IP address can change several times a day.
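To make the caching point concrete, here is an added Python example (not Acrylic’s code, and not from the original post) of a small A-record cache that stores an absolute expiry computed from the TTL the upstream server returned, and refuses to serve an entry once that time has passed. The clock is injectable so the expiry path can be exercised without waiting; the upstream resolver, the hostname and the IP in the demo are constructed stand-ins.

```python
import time


class TtlCache:
    """Cache of A-record answers that expires each entry when its TTL runs out."""

    def __init__(self, clock=time.monotonic, min_ttl=0, max_ttl=86400):
        self._clock = clock
        self._entries = {}            # name -> (ips, expires_at)
        self.min_ttl = min_ttl        # floor for pathologically short TTLs
        self.max_ttl = max_ttl        # cap so a huge TTL cannot pin a stale answer

    def store(self, name, ips, ttl):
        """Record an answer with an absolute expiry derived from the upstream TTL."""
        ttl = max(self.min_ttl, min(ttl, self.max_ttl))
        self._entries[name.lower()] = (list(ips), self._clock() + ttl)

    def lookup(self, name):
        """Return cached IPs while the TTL holds; evict and return None once it expires."""
        key = name.lower()
        entry = self._entries.get(key)
        if entry is None:
            return None
        ips, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[key]    # stale: force a fresh upstream query
            return None
        return ips


def resolve(name, cache, upstream):
    """Return (ips, from_cache): serve from cache if fresh, else ask upstream and store."""
    cached = cache.lookup(name)
    if cached is not None:
        return cached, True
    ips, ttl = upstream(name)         # upstream returns (ips, ttl) like a DNS answer
    cache.store(name, ips, ttl)
    return ips, False


class FakeClock:
    """Controllable clock so TTL expiry can be tested without real waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Miss, hit inside the TTL, then re-query after expiry; returns the observed flags."""
    clock = FakeClock()
    cache = TtlCache(clock=clock)
    calls = []

    def upstream(name):
        calls.append(name)
        return ["192.0.2.10"], 300    # constructed answer with a 5-minute TTL

    first = resolve("www.example.com", cache, upstream)    # cache miss
    clock.advance(299)
    second = resolve("www.example.com", cache, upstream)   # still within TTL
    clock.advance(2)
    third = resolve("www.example.com", cache, upstream)    # expired, re-queried
    return first[1], second[1], third[1], len(calls)


if __name__ == "__main__":
    print(demo())
```

The min/max clamp is the usual operational compromise: a floor avoids hammering upstream when a zone publishes a TTL of a few seconds, and a ceiling bounds how long a moved address (or a poisoned answer) can linger in the cache.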
